Refactor: Add ApplicationsEnabledMiddleware to gate hacker application mutations

[balebbae]

Summary

Follow-up to PR #47 (resolves #31). Refactor the applications enabled toggle to use a middleware pattern, consistent with how AdminScheduleEditPermissionMiddleware gates schedule mutations.

Context

PR #47 introduced GET /v1/applications/enabled and POST /v1/superadmin/settings/applications-enabled to allow superadmins to toggle whether hackers can submit applications. Currently, the toggle exists but is not enforced on hacker mutation routes.

Tasks

• Move handlers to settings.go — getApplicationsEnabled and setApplicationsEnabled are settings operations, not application CRUD. Move them to cmd/api/settings.go for consistency with other setting toggles (getReviewAssignmentToggle, getAdminScheduleEditToggle, getHackathonDateRange).

• Create ApplicationsEnabledMiddleware in cmd/api/middlewares.go — Following the AdminScheduleEditPermissionMiddleware pattern:

  1. Call app.store.Application.GetApplicationsEnabled(ctx)
  2. If disabled, return 403 Forbidden — "applications are currently closed"
  3. If enabled, call next.ServeHTTP(w, r)

• Apply middleware to hacker mutation routes in cmd/api/api.go:

  r.Route("/applications", func(r chi.Router) {
      r.Get("/me", app.getOrCreateApplicationHandler)
      r.Get("/enabled", app.getApplicationsEnabled)
  
      r.Group(func(r chi.Router) {
          r.Use(app.ApplicationsEnabledMiddleware)
          r.Patch("/me", app.updateApplicationHandler)
          r.Post("/me/submit", app.submitApplicationHandler)
          r.Post("/me/resume-upload-url", app.generateResumeUploadURLHandler)
          r.Delete("/me/resume", app.deleteResumeHandler)
      })
  })

• Add tests for the middleware (see cmd/api/schedule_test.go for reference)

• Update Swagger docs if any response codes change

Blocked by

This issue should only be started after PR #47 is merged with any requested fixes.

Labels

enhancement, refactor